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ERROR PROPAGATION IN A SYSTEM 
MODEL 

CROSS-REFERENCE TO RELATED 

APPLICATIONS 5 

This application claims the benefit of priority to U.S. Pro- 
visional Patent Application Ser. No. 61/442,648 entitled 
“Method to Propagate Error Associated with Type, Range, 
and Signal Value Data through a Behavioral Model” filed on 
Feb. 14, 201 1 , the disclosure of which is hereby incorporated 
herein by reference in its entirety. 

STATEMENT REGARDING FEDERALLY 
SPONSORED RESEARCH OR DEVELOPMENT 

15 

This invention was made with Government support under 
Contract No. NNA10DE73C awarded by NASA. The Gov- 
ernment may have certain rights in the invention. 

BACKGROUND 20 

Model-based design can be used for hardware and software 
systems (e.g., cyber-physical systems (CPSs)). Data flow 
semantics can be used to specify control algorithms. One area 
in which model -based design is increasingly applied is for the ^5 
design and certification of flight-critical sofWare. In this area, 
MATLAB Simulink and Esterel Technologies SCADE, in 
particular, are widely used in the aerospace industry for mod- 
eling and simulation-based evaluation of avionics CPSs. Both 
Simulink and SCADE use data flow models for model-based 
design. 

Verification tools exist to analyze type and range data in the 
context of data flow models, according to the DO-178B soft- 
ware certification process. Such tools can automate a number 
of previously manual tasks, including code reviews, model 
analysis, and object code testing. 35 

SUMMARY 

One exemplary embodiment is directed to a method pro- 
viding an input signal range corresponding to a range of 40 
expected values for an input signal to a functional block. A 
minimum value error range corresponding to a range of error 
for a minimum value endpoint of the input signal range and a 
maximum value error range corresponding to a range of error 
for a maximum value endpoint of the input signal range is also 
provided. The method maps the input signal range to one or 
more output signal ranges as a function of a range mapping 
function corresponding to the functional block. The method 
also calculates a set of error extended input signal ranges by: 
adding a min endpoint of the minimum value error range to 
the minimum value of the input signal range; adding a max 
endpoint of the minimum value error range to the minimum 
value of the input signal range; adding the min endpoint of the 
maximum value error range to the maximum value of the 
input signal; and adding the max endpoint of the maximum 
value error range to the maximum value of the input signal 55 
range. The set of error extended input signal ranges are 
mapped to a set of error extended output signal ranges as a 
function of the range mapping function. Finally, a minimum 
output error range and a maximum output error range are 
calculated as a function of a difference between the set of 60 
error extended output signal ranges and the output signal 
ranges. 

DRAWINGS 

65 

Understanding that the drawings depict only exemplary 
embodiments and are not therefore to be considered limiting 


2 

in scope, the exemplary embodiments will be described with 
additional specificity and detail through the use of the accom- 
panying drawings. 

FIG. 1 illustrates a computer for execution of a software 
verification tool in accordance with one embodiment. 

FIG. 2 illustrates an example of a data flow model for a 
system under test in accordance with one embodiment. 

FIG. 3 illustrates an example of an interval and error ranges 
associated with endpoints of the interval. 

FIG. 4 illustrates a method for propagating signal value 
error through a functional block in a model in accordance 
with one embodiment. 

FIG. 5 illustrates a data flow model for a system under test 
in which signal value error is propagated through the model in 
accordance with one embodiment. 

FIG. 6 illustrates a data flow model for a system under test 
having both continuous and discrete signals in which signal 
value error is propagated through the model in accordance 
with one embodiment. 

FIG. 7 illustrates a model having a feedback signal in 
accordance with one embodiment. 

FIG. 8 illustrates a model in which the pattern of a feedback 
loop from FIG. 6 has been replaced with the functional block 
implementing a feedback counter function. 

In accordance with common practice, the various 
described features are not drawn to scale but are drawn to 
emphasize specific features relevant to the exemplary 
embodiments. 

DETAILED DESCRIPTION 

In the following detailed description, reference is made to 
the accompanying drawings that form a part hereof, and in 
which is shown by way of illustration specific illustrative 
embodiments. However, it is to be understood that other 
embodiments may be utilized and that logical, mechanical, 
and electrical changes may be made. Furthermore, the 
method presented in the drawing figures and the specification 
is not to be construed as limiting the order in which the 
individual steps may be performed. The following detailed 
description is, therefore, not to be taken in a limiting sense. 

Current software verification tools do not directly handle 
errors associated with signal values (also referred to herein as 
“signal value errors”). A signal value error can occur when a 
representation of a signal value, over which computation is 
performed, is different than its corresponding ground truth 
values. That is, a signal value error can include a difference 
between an actual output signal from a component in a system 
and the ideal output signal from the component. 

This challenge is commonly faced when abstractions, 
assumptions, and restrictions are utilized with the goal of 
increasing the scalability of analysis methods. For example, 
synchronous languages can rely on synchrony and zero -time 
execution assumptions that are typically not valid in a physi- 
cal implementation. 

One example of an abstraction includes a floating-point 
representation of certain numeric values. This floating-point 
representation error is generally proportional to signal mag- 
nitude. In other words a bound for a signal value of one 
million will tend to be greater than a bound for a signal value 
of ten or one. This is because correct rounding may be per- 
formed only to a limited number of decimal places (e.g., 7 for 
32-bit floats, 16 for 64-bit floats, and 34 for 128 bit floats). If 
a decision within a system is dependent upon an expression 
using floating-point rounding, the resulting behavior may not 
be deterministically predictable. Additionally, this source of 
error can be exacerbated for accumulated error. For example. 
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for a loop in which a 32-bit float variable is incremented a 
thousand times, the effect of the error can be present in values 
near one hundred thousand rather than one hundred million. 

A second source of signal value error can be due to hard- 
ware floating-point units that may produce signal value error. 5 
So, for example, even if two floating-point values that have no 
error are multiplied together, the result can still have signal 
value error. 

A third source of signal value error can be due to mixed 
continuous and discrete computation. For example, a con- to 
tinuous sensor signal can be periodically buffered and 
reported. Clock skew, however, can result in the continuous 
signal being captured too early to too late, which may result in 
a value different from the ground truth value. Also, when 
computation uses periodic data that is sampled between peri- 15 
ods, interpolation can be used. Since interpolation is an esti- 
mate, signal value error can be produced from interpolation. 
These error sources tend to be bounded. For example, the 
error arising from clock skew can be bounded by the maxi- 
mum rate of signal change corresponding to the maximum 20 
clock skew. 

Yet another source of signal value error is sensor accuracy. 
This source of error can be constant (e.g., plus or minus 
0.001) across a range of operational values and undefined 
outside of this range. 25 

Signal value errors can lead to differences between the 
semantics of system models and the actual behavior of the 
system observed on an execution platform. By quantifying 
the differences between the “ideal” case and the actual behav- 
ior, the effects of errors can be systematically analyzed, and 30 
the correctness of the implementation can be shown in the 
presence of errors. 

Not only can output values be different than ground truth 
(e.g., ideal) values, but signal value error may also result in 
timing jitter as errors push condition values across discrete 35 
decision points in the code. Essentially, signal value errors 
can non-deterministically affect the behavior and perfor- 
mance of the system controlled by the software. 

Conventional systems have been certified by relying on the 
argument that the error is bounded. In these previous 40 
approaches, a static and conservative error threshold (e.g., a 
tolerance) has been applied to an output signal of the model. 
That is, an output signal value for a model is compared to an 
error interval for that output signal. If the output signal value 
is outside of the interval, the output signal is considered to 45 
have failed. Each output signal can have a different error 
threshold. Flowever, the sizes of the intervals typically 
depend upon the underlying data type. Analysis is typically 
not performed to determine whether the particular tolerance 
is appropriate for the given model. Accordingly, the error for 50 
a given signal is not propagated through the system. 

For example, if a tolerance is plus or minus 0.0001 and an 
output signal value of 2.13 is expected, but a value of 
2.12999999 is measured, the test is considered passed. This is 
because 2.13-0.000K2.12999999<2.13+0.0001. 55 

As system complexity has increased, a signal static toler- 
ance factor can be overly conservative in most cases, while 
not being conservative enough in rare cases. Furthermore, 
applying a tolerance to output signals does not provide a 
mechanism to analyze timing jitter and potential for non- 60 
deterministic behavior that may originate from signal value 
error. 

Embodiments of the present subject matter can enable the 
analysis of signal value errors for system models. In an 
example, signal value errors can be propagated through the 65 
functional blocks of a system model to analyze possible 
effects as the signal value errors impact incident functional 


4 

blocks. This propagation of the errors can be applicable to 
many models of computation including avionics models, syn- 
chronous data flow and Kahn process networks. 

Signal value errors can have a number of sources. One 
potential source includes a floating-point representation of 
certain numeric values. This can be one of the most wide- 
spread sources of error in the modeling of practical flight- 
critical systems. 

Accordingly, the characteristics of each source of signal 
value error can be different. Embodiments of the subject 
matter described herein can represent these different error 
characteristics and can enable translation between these error 
characteristics. 

In an example, the subject matter herein can be used to 
determine a magnitude of error on an output of a system given 
a characterization of signal value error for input signal(s) to 
the system. In an example, the subject matter herein can be 
used to determine if signal value error can non-deterministi- 
cally change the behavior of the system. For example, the 
subject matter herein can be used to identify if and where 
signal value error can potentially cause a mode change to 
occur too early or too late. 

In an example, the subject matter herein can be used to 
detect error-induced underflow. Underflow can include the 
condition when the result of a floating-point operation is 
smaller than the smallest representable value. For example, if 
a feedback loop increments a signal by one each period and 
the signal is stored as a 32-bit float, afterthe signal increments 
to near 100,000,000 the rounding error may negate the incre- 
ment operation. Thus, the signal might not ever reach a par- 
ticular value that is greater than 100,000,000. Error- induced 
underflow is similar, but can be due to any source of signal 
value error. Error-induced underflow can be detected by 
quantifying the signal value error for an output signal from a 
flinctional block and determining if the signal value error can 
negate the operation performed by the functional block. 

In an example, the subject matter herein can be used to 
determine if signal value error can move ranges of an output 
signal from a functional block outside of accepted range. An 
output signal outside of the accepted range can cause over- 
flows or exceptions. Analyzing the range of output signals 
with signal value error propagation can be used to determine 
whether anomalous behavior is possible for the system. 

FIG. 1 illustrates a computer 100 for execution of a soft- 
ware verification tool. The computer 100 can include one or 
more processing devices 102 (e.g., a central processing unit 
(CPU), microcontroller, microprocessor, etc.) coupled to one 
or more memory devices 104 (e.g., random access memory 
(RAM), a hard drive, an optical medium (CD), etc.). The one 
or more memory devices 104 can include instructions which, 
when executed by the one or more processing devices 102, 
can cause the one or more processing devices 102 to perform 
the functions of a software verification tool as described 
herein. 

Separate from or in addition to the one or more memory 
devices 104, the instructions can be stored on any appropriate 
computer readable medium used for storage of computer 
readable instructions or data structures. The computer read- 
able medium can be implemented as any available media that 
can be accessed by a general purpose or special purpose 
computer or processor, or any programmable logic device. 
Suitable processor-readable media can include tangible 
media such as magnetic or optical media. For example, tan- 
gible media can include conventional hard disks. Compact 
Disk-Read Only Memory (CD-ROM), volatile or non-vola- 
tile media such as Random Access Memory (RAM) (includ- 
ing, but not limited to. Synchronous Dynamic Random 
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Access Memory (SDRAM), Double Data Rate (DDR) RAM, 
RAMBUS Dynamic RAM (RDRAM), Static RAM (SRAM), 
etc.). Read Only Memory (ROM), Electrically Erasable Pro- 
grammable ROM (EEPROM), and flash memory, etc. Suit- 
able processor-readable media can also include transmission 5 
media such as electrical, electromagnetic, or digital signals, 
conveyed via a communication medium such as a network 
and/or a wireless link. 

In an example, the computer 100 can include one or more 
input devices 106 (e.g., a mouse, keyboard, touchscreen, to 
microphone, etc.) for receiving inputs from a user. The com- 
puter 100 can also include one or more output devices 108 
(e.g., a monitor, speaker, light, etc.) for providing output to a 
user. The computer 100 can comprise a desktop computer, 
workstation, laptop, tablet, mobile phone, or other computing 15 
device. In some examples, the computer 100 can be distrib- 
uted in nature. 

As mentioned above, the instructions on the one or more 
memory device 104 can cause the one or more processing 
device 102 to perform the functions of a software verification 20 
tool as described herein. In an example, the software verifi- 
cation tool can utilize an extension of interval arithmetic to 
represent ranges of feasible signal values in order to support 
the computation of range propagation and analysis. 

An interval may be represented by the tuple I=(min, max, 25 
includeMin, includeMax) where min represents the lower 
bound endpoint of the interval, max represents the upper 
bound endpoint of the interval, includeMin indicates if the 
min value is included in the interval, includeMax indicates if 
the max value is included in the interval. As used herein, the 30 
common interval notation of the min and max values enclosed 
in parentheses or brackets depending on whether or not the 
associated endpoint is included in the internal. For example, 
the interval (3, 7] indicates the interval I=(3, 7, false, true). 

A range may be comprised of a set of intervals. In one 35 
embodiment, the set of intervals may be a non-overlapping set 
of intervals. 

A range can include data type information. Data type infor- 
mation may be used for checking for value overflow and 
underflow and to guide certain type-specific range operations. 40 
The data type information can indicate the included set of 
values between the min and max endpoints. If data type 
information in unavailable, a default data type can be 
assigned. 

In one embodiment a range can include a property “type” 45 
from the set T, where T={Boolean, Integers, IntegerI6, Inte- 
ger32, Integer64, UnsignedS, Unsignedlfi, Unsigned32, 
Unsigned64, Float32, Float64, Undefined}. Other sets of 
types are also possible. 

A range can be specified as the tuple R=(min, max, inclu- 50 
deMin, includeMax, C, T), where: min represents the lowest 
bound endpoint of all min values of all included intervals, 
max represents the upper bound endpoint of all max values of 
all included intervals in the range, includeMin indicates if the 
min value is included in the range, includeMax indicates if the 55 
max value is included in the range, C is the ordered set of 
intervals. For example, the range [1,5] may include the inter- 
vals [1, 2) and [2, 5]. In one embodiment, a range can be 
hierarchically composed of multiple non-overlapping child 
ranges. 60 

In an example, the software verification tool can use a 
model of a system under test having one or more functional 
blocks connected according to a graph structure. In an 
example, the graph structure can include a directed graph. 
The software verification tool can use the model to compute 65 
one or more ranges for one or more output signals from the 
model. In an example, the software verification tool can use 
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the model along with specifications for one or more ranges of 
one or more input signals to the model to compute the one or 
more ranges for the one or more output signals. To compute 
the range(s) for the output signal(s), the software verification 
tool can propagate the range(s) for the input signal(s) topo- 
logically through the functional blocks until the output signal 
(s) are reached. A functional block v of the set V can have a set 
of inputs (X) and a set of outputs (Y), corresponding to edge 
sources and targets. A functional block can map one or more 
ranges for one or more input signals for the functional block 
to one or more ranges for one or more output signals for the 
functional block. The mapping of an output signal for a func- 
tional block from one or more input signals for the functional 
block can be defined by a range mapping function. Different 
output signals for a functional block can have different range 
mapping functions corresponding thereto. The range map- 
ping fimction(s) for a functional block can be used to deter- 
mine the range(s) for the output signal(s) for the functional 
block as a function of the range(s) of the input signal(s) for the 
functional block. 

FIG. 2 illustrates an example of how range propagation can 
be performed for a model 200 for a system under test as 
described in U.S. patent application Ser. No. 13/006,750 
entitled “Type and Range Propagation through Data-Flow 
Models” filed on Jan. 14, 2011, the disclosure of which is 
hereby incorporated herein by reference in its entirety. The 
model 200 can include a first input signal block 202 and a 
second input signal block 204. An input signal block repre- 
sents an input signal to the model. In an example, the first 
input signal can have a range of expected values of -100.0 to 
200.0 (i.e., [-100.0, 200.0]). The expected values forthe input 
signal can include the one or more values in which the input 
signal can have not including signal value error for the input 
signal. In this example, the second input signal can have a 
range of expected value of [-50.0, 50.0]. For simplicity, in 
this example, the floating-point type of all ranges is 
(T=Float32), however, it should be understood that other 
floating-point types can be used. 

In model 200. the first input signal 202 is the input signal to 
the numerator of two functional blocks 206, 208 implement- 
ing a divide function. The second input signal 204 is the input 
signal to a function block 210 implementing a range limit 
function. Functional block 210 can limit the input signal to 
values within defined bounds (e.g., minimum and maximum 
bounds). Values outside the bounds can be constrained to the 
minimum or maximum bound as appropriate. In this 
example, functional block 210 can limit an input signal to the 
range [-10.0, 10.0]. Accordingly, forthe range [-50.0, 50.0] 
of the second input signal 204, the range of the output signal 
for functional block 210, according to the range mapping 
function for functional block 210, is [-10.0, 10.0]. 

In model 200, the output signal from functional block 210 
is input to two functional blocks 212, 214 implementing sum 
functions. The ranges for the other input signals to functional 
blocks 212, 214 are constants. Accordingly, the range for the 
output signal from functional block 212 is [-5.0, 15.0] and the 
range for the output signal from functional block 214 is [2.0, 
22.0]. These output signals are provided to the functional 
blocks 206, 208. The range of the output signal from func- 
tional block 208 is [-50.0, 1 00.0], and the range of the output 
signal from functional block 206 is (-infinity, infinity) since 
the range of the input signal for the denominator of functional 
block 206 includes zero. The model 200 can include output 
signal blocks 216, 218 that are connected to the output signals 
of functional blocks 206, 208 respectively. An output signal 
block represents the output signal of the model. As shown, the 
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value being input to output block 216 can spike to positive or 
negative infinity which may cause a run-time exception in the 
system under test. 

To support detection of such potential exceptions, the 
range propagation routine for the divide block can include a 5 
check to ensure there is a safe region around zero of the 
denominators signal range. If this safe region is entered, a 
warning can be produced. This is an example of a block- 
centric range analysis that is built on top of range propagation. 
Examples of other checks includes: (i) determining if the to 
ranges of the inputs signals of functional blocks implement- 
ing square root functions are greater than or equal to zero, (ii) 
determining if switch controller ranges are greater than or 
equal to one and less than or equal to the number of switched 
signals, and (iii) determining if signal ranges are contained 15 
within the minimum and maximum values of their associated 
language-independent types for integer data types (e.g., 
between 32,768 and 32,767 for a 16-bit integer). 

Range propagation can also be used to prune the search 
space associated with requirements-based test generation as 20 
described in U.S. Pat. No. 7,644,334, entitled “Requirements- 
Based Test Generation” filed on Nov. 26, 2007, the disclosure 
of which is hereby incorporated herein by reference in its 
entirety. 

In an example, the software verification tool does not rely 25 
on continuous dynamics or notion of time, as used in hybrid 
automata or time automata to capture and analyze a mix of 
continuous dynamics and discrete state transitions. This is not 
a limitation in practice, as exhaustive analysis is typically 
infeasible on complex practical models of a system undertest. 30 
In fact, many large avionics control systems are currently 
designed using discrete time notation, from a practical per- 
spective, since the flight code implementation uses periodic 
execution and scheduling. The advantage of the discrete 
approach for time representation is scalability on complex 35 
models, which has many practical benefits. 

In order to analyze the effect of the structure of a model of 
a system under test as well as the effect of error on potential 
behavioral non-determinism, range propagation can be 
extended to also propagate signal value error and analyze its 40 
potential effect. 

In order to capture signal value errors, the endpoints of all 
intervals I in range R have an associated signal value error. 
One or more intermediate values from a signal range may 
have associated signal value error represented. The more 45 
values for which signal value error is represented, the more 
accurate the error analysis can be. However, the computation 
required to perform the error propagation can also increase. 

In one embodiment, an intermediate value in the range may 
have associated signal value error represented. Accordingly, 50 
the signal value error for the intermediate value can be propa- 
gated through a functional block to determine an intermediate 
value error range. The signal value error for the intermediate 
value can be sent through the function block by using the 
range mapping function in the same manner as discussed with 55 
respect to the signal value error for the endpoints of a range. 

In one example, the intermediate value for which signal value 
error is sent through the functional block can be a value near 
zero. In another embodiment, the intermediate value may be 
a midpoint in the range. 60 

In one embodiment, the signal value error is represented as 
an interval associated with a particular value of the signal 
range. In an example, intermediate signal error values can be 
determined by interpolation of endpoint signal error values. 

In another embodiment, the signal value error is repre- 65 
sented as a single value, k, that is relative to all feasible values 
of a range. In an example, endpoint signal error values and/or 
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intermediate signal value errors can be determined by multi- 
plying the particular value of the range by the value k. 

In yet another embodiment, the signal value error is repre- 
sented as an error function of a value in the range. In this 
example, endpoint signal error values and/or intermediate 
signal value errors can be determined by applying the error 
function to the particular value of the range. 

FIG. 3 graphically illustrates how an error interval can be 
associated with both endpoints of an interval. It shows inter- 
val [2, 7) with minimum value error [-0.5, 0.5] and maximum 
value error [-0.5, 1.0]. In this example, the actual values 
observed may range from [1.5, 8). 

FIG. 4 illustrates an example of a method 300 for propa- 
gating signal value error through a functional block in a 
model. In this example, method 300 is described with respect 
to a functional block b with n input signals having ranges that 
have been detennined. 

At block 302, one or more ranges for the one or more output 
signals of the functional block b can be determined as a 
function of the ranges corresponding to the expected values 
(e.g., without signal value error) for the n input signals as 
described with respect to FIG. 2. That is, range(s) for the 
output signal(s) can be determined using the range mapping 
function for the functional block b based on the range(s) of the 
expected values of the input signal(s) not including signal 
value error for the input signal(s). A range for an input signal 
can include a maximum value and a minimum value and one 
or more intervals. 

At block 304, a set of error extended ranges for an input 
signal can be calculated. The set of error extended ranges for 
an input signal can include all permutations of the ranges of 
the signal value errors for the input signal added to the respec- 
tive maximum and minimum values of the range of the input 
signal. 

A set of error extended ranges for an input signal is calcu- 
lated by adding the min and max of the signal value error 
intervals to each range interval endpoint. This results in m 
pairs of error extended ranges where m is the total number of 
end-points (e.g., unique min and max values in all intervals of 
a range. 

At block 306, the set of ranges for the error extended output 
signals can be determined. The set of ranges for the error 
extended output signal can be determined by propagating 
each range of the set of error extended ranges for the input 
signals through the functional block. That is, each range of the 
set of error extended ranges for the first input signal is 
matched with each error extended range for the second and 
remaining input signals. All permutations of error extended 
ranges can be mapped to an error extended output signal 
range by using the range mapping function of the functional 
block b. 

At block 308, the ranges of the minimum and maximum 
values for the set of ranges of error extended output values can 
be determined. Each range in the set of ranges of error 
extended output values has a maximum and a minimum 
value. Accordingly, the maximum values of the set of ranges 
occupy a certain range and the minimum values of the set of 
ranges occupy a certain range. These ranges are determined 
accordingly. 

At block 310, the ranges for the minimum and maximum 
values for the set of ranges of error extended output values can 
be subtracted from the minimum and maximum value from 
the range of output signal determined at block 302 to deter- 
mine the ranges of signal value error for the output signal of 
the functional block b. That is, a range of signal value error 
corresponding to the maximum value in the range of the 
output signal determined at block 302 can be determined as 
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the range of the maximum values for the set of error extended 
output values subtracted from the maximum value of the 
range of output signal determined in block 302. Similarly, a 
range of signal value error corresponding to the minimum 
value in the range of the output signal determined at block 302 
can be determined as the range of the minimum values for the 
set of error extended output values subtracted from the mini- 
mum value of the range of output signal determined in block 
302. 

Once determined the range of the output signal (without 
error) as determined in block 3 02 and the ranges for the signal 
value error corresponding to the output signal can be provided 
to a functional block downstream from the functional block b. 
In examples where the functional block b has multiple output 
signals, the method 300 can be performed for each output 
signal. 

Example pseudocode for method 300 is as follows: 


1 : propagate the set of ranges through the incident block, b, as normal to 
result in output signal ranges without error 
2: for all input signal ranges, r, of block b do 
3 : for all endpoints v of r do 

4: create two error-extended endpoint values by adding to v the min 

and max values of its associated error 
5 : end for 

6: end for 

7: create all feasible combinations of error-extended ranges from 
error-extended endpoint values 
8: for all combinations of error-extended ranges do 
9: propagate the error-extended range through b to result in a set of 
error-extended output ranges 
10: end for 

11: for all endpoints of the output signal ranges without error do 
12: determine the min and max values among all of the associated 

error-extended endpoint values 

13: compute the error at the endpoint by subtracting these min and 

max values 
14: end for 


In other examples, a range of signal value error can be 
calculated at intermediate values other than or in addition to 
the maximum and minimum values for the range of the output 
signal by following method 300. For example, a range of 
signal value error can be computed at zero or at a midpoint 
value in the range of the output signal. In an example, these 
signal value errors can be captured by introducing intervals in 
the range and using the interval endpoints to define their 
respective set of ranges for signal value error. 

Method 300 can be performed for all functional blocks in a 
model in order to propagate range and associated signal value 
error through a model. For example, method 300 can be used 
for multiple or all blocks in a model for a system under test. 
Using method 300 range values and error values associated 
with the range values can be propagated through a plurality of 
functional blocks corresponding to the model of a system 
under test by calculating in topological order output signal 
ranges and minimum output signal error ranges and a maxi- 
mum output signal error ranges for the plurality of functional 
blocks receive. This process can be used to perform block- 
centric analysis on the error extended input signal ranges of 
one or more functional blocks in the model to determine if 
error extended anomalies are possible. In an example, if an 
error extended anomaly is determined for one or more func- 
tional blocks an error (e.g., a warning) can be output to alert 
a user that the model may include an error extended anomaly. 

FIG. 5 illustrates an example of a model 400 for a system 
under test in which signal value error is propagated through 
the model 400. Model 400 includes a first input signal 402 and 
a second input signal 404 with ranges of [-2000.0 1000.0] 
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and [100.0 499.0], respectively. For simplicity, model 400 
uses floating-point types of all ranges (T=Float32), and does 
not show type information. The signal value error associated 
with the minimum and maximum signal values are given from 
5 the below the ranges. For example, the signal value error 
associated with the range of input signal 402 is [-0.2, 0.2] at 
the min value of -2000 and [-0.1, 0.1] at the max value of 
1000. So output signal values can be expected ranging any- 
where from -2000.2 to 1000.1. Similarly, the signal value 
error associated with the range of input signal 404 is [-0.3, 
0.2] at the min value of 100 and [-0.4, 0.1] at the max value 
of 499. 

Computing the signal value error at the output of functional 
block 406, which implements a sum function, involves first 
computing the range of the output signal without signal value 
error. This is [ 1 , 400] . Next the set of error extended input 
signal values are computed. These are [99.7, 498.6], [99.7, 
499.1], [100.2, 498.6], [100.2, 499.1] from input signal 404 
20 and [-99.0099], [-98.9901 ] for the constant 408. All permu- 
tations of these two sets of error extended values are propa- 
gated through the functional block 406. Hence, the set of 
ranges for the error extended output signal is: RMFsum 
([99.7, 498.6], [-99.0099])=[0.6901, 399.5901], RMFsum 
25 ([99.7, 499.1], [-99.0099])=[0.6901, 400.0901], RMFsum 
([100.2, 498.6], [-99.0099])=[1.1901, 399.5901], RMFsum 
([100.2, 499.1], [-99.0099])=[1.1901, 400.0901], RMFsum 
([99.7, 498.6], [-98.9901 ])=[0.7099, 399.6099], RMFsum 
([99.7, 499.1], [-98.9901 ])=[0.7099, 400.1099], RMFsum 
30 ([100.2, 498.6], [-98.9901])=[1.2099, 399.6099], RMFsum 
([100.2, 499.1], [-98.9901])=[1.2099, 400.1099], where 
RMFsum is the range mapping function of functional block 
406. In this case RMFsum can specify that the inputs’ mini- 
mum values can be added together to get the output minimum 
35 value and the inputs’ maximum values can be added together 
to get the output maximum value. 

Finally, the smallest and largest low and high error 
extended values are subtracted from the output range that was 
computed without error, as such [0.6901, 1.2099]-[1]=[- 
40 0.3099, 0.2099] and [399.5901, 400.1099]-[400]=[-0.4099, 
0.1099] to result in an output signal with range [1, 400], low 
value error of [-0.3099, 0.2099], and high value error of 
[-0.4099, 0.1099]. 

FIG. 5 shows the values without error as well as the corre- 
45 spending low and high signal value errors for each signal as it 
is propagated tlirough the model 400 . Note the large error that 
is the result of performing the computation of functional 
block 406 and feeding the results directly into the denomina- 
tor of the functional block 410 which implements a divide 
50 function. The resulting high end error is [-898.4, 347.1]. This 
shows how particular multi-block structures can amplify 
error unexpectedly. The signal value error for functional 
block 412, implementing a divide function, is mitigated 
somewhat due to the functional block 414 implementing a 
55 range limiter function. 

FIG. 6 illustrates an example of a model 500 for a system 
under test having both continuous and discrete signals in 
which signal value error is propagated through the model 500 . 
In this model, the output of the functional block 502 imple- 
60 menting a divide function is provided directly to the func- 
tional block 504 implementing a floor function. The output of 
functional block 502 is also indirectly provided to the func- 
tional block 506 also implementing a floor function, via the 
functional block 508 implementing a sum function that adds 
65 a small offset value. The function of a floor block is to convert 
a real variable into a whole number by computing the greatest 
integer less than the input value. 
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By following the method 300, the input signal range to 
functional block 504 can be computed as [8.0, 10.0] with 
range for the low signal value error of [-0.0008, 0.0008] and 
range for the high signal value error of [-0.001, 0.001]. 

Following the method 300, the range of the output signal 5 
without error is determined for functional block 504. This 
range includes the whole numbers 8, 9, and 10. No values 
between the whole numbers are included. Next the set of error 
extended input signal values are computed. These are 
[7.9992], [8.0008], [9.999], [10.001]. All these error-ex- to 
tended values are propagated through the functional block 
504. Hence, RMFfloor([7.9992])=[7], RMFfloor([8.0008])= 

[8] , RMFfloor([9.999])=[9], RMFfloor([10.001])=[10]. 

Finally, the smallest and largest low and high error-propa- 
gated values are subtracted from the output range that was 15 
computed without error, as such [7]-[8]=[l]; [8]-[8]=[0]; 

[9] -[ 1 0] =[ 1 ] ; [ 1 0] - [ 1 0] =[0] ; to result in an output signal with 
range [8,10], range for the low signal value error of [ 1 , 0] , and 
range for the high signal value error of [1, 0]. Note that the 
signal value error can be computed for the value nine of this 20 
range if the signal value error associated with this value is 
computed (e.g., by interpolation) at the inputs of model 500 
and propagated through the model 500. 

As can be seen, the output of functional block 506 has an 
associated signal value error of [0, 0] . The reason is that since 25 
the small offset added to the output of the functional block 
502 is greater than the signal value error at that point, it is not 
possible for the minimum signal value error to pull the signal 
value down to result in the next lower integer value. In the past 
the offset value has needed to be estimated. Using method 30 
300, the offset can be determined by computing the propa- 
gated error at the signal just prior to the functional block 508. 
Then the value of the constants block should be set slightly 
greater than the high end max error value to eliminate all 
downstream error. 35 

Propagation of signal value error through a model can be 
performed topologically from input signals to the model, 
following the direction of the connections between fiinctional 
blocks. After the signal value error associated with the input 
ports of a functional block have been determined, the signal 40 
value error associated with the output ports can be computed. 

By following method 300, it may be difficult for the signal 
value error to be computed in the case of feedback loops on all 
input ports for one or more functional blocks. This is because 
the signal value error at the input ports may be directly or 45 
indirectly dependent upon the signal value error associated 
with the output ports of the same or downstream functional 
blocks. Nested feedback structures are also possible. 

One embodiment that addresses the issue of feedback sig- 
nals in models is to develop a library of common feedback 50 
patterns that are comprised of structures of blocks and wires. 

For each pattern, a range mapping function can be written. 
After this library is created, it can be applied on any model as 
follows: (i) detect instances of any of the feedback patterns, 

(ii) to replace the detected structures with a single functional 55 
block in which the feedback is internal to the block, (iii) This 
new functional block can be handled the same way as other 
functional blocks. 

FIGS. 7 and 8 illustrate this method. FIG. 7 illustrates 
model 600 with feedback signals 602 and 603. In this model 60 
600, it may not be possible to compute the signal value error 
on all of the inputs of the functional block 604, implementing 
a switch function, using only a topological algorithm. This is 
because one of the input signals for functional block 604 
depends (indirectly through the functional block 606 (imple- 65 
menting a sum function) and the functional blocks 608 
(implementing a delay function)) on its output signal 603. 
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Similarly, it is not possible to compute the signal value error 
on all of the inputs of the functional block 610 that imple- 
ments a logical OR function due to feedback signal 602. In 
one embodiment, a pattern recognizer can be used to detect 
the existence of the particular structure of a plurality of func- 
tional blocks (e.g., functional blocks 604, 606, 608, 610, 612) 
and replace the pattern with a single functional block. 

FIG. 8 illustrates a model 700 in which the pattern of the 
feedback loop from FIG. 7 has been replaced with the func- 
tional block 702 implementing a feedback counter function. 
Note in FIG. 8, the internals of the functional block 702 are 
shown, but in other examples the internals are not shown. The 
model 700 of FIG. 8 no longer has a feedback loop. Hence the 
method 300 can be successfully applied to the model 700 

In one example, the range mapping function for the func- 
tional block 702 can be dependent upon the number of itera- 
tions through the loop. The range mapping function can stati- 
cally compute the bound of the number of iterations through 
the loop in order to compute a tight range and error bound for 
the model 700. 

For nested feedback structures, start with the leaf-level 
feedback structures and perform pattern identification and 
replacement. Then move up to the next higher level, and so 
on. 

Another embodiment that addresses the issue of feedback 
signals in models is to automatically break the feedback loop 
by determining the feed back signals and setting a default 
(and conservative) error value to those signals. This error 
value may be dependent upon a bound of the number of 
iterations through the feedback structure. 

In an example, certain classes of functional blocks perform 
computations that take continuous input signals and produce 
output signals that vary in discrete increments. For example, 
rounding operators such floor, round, ceiling, and flx convert 
a continuous signal into a discrete signal that varies in integer 
increments. Likewise comparison operators, such as great- 
erEql 510 and greaterEq2 512 in FIG. 6, may compare two 
continuous signals and produce a Boolean output signal. For 
this class of blocks, the impact of error may be much greater 
than the mere propagation of the error to the output results; 
the error can cause non-deterministic and/or anomalous 
behavior. 

For these classes of blocks, analysis of the model can be 
implemented for several classes of blocks to report any poten- 
tial for non-determinism. The analysis can be performed by a 
niunber of methods, in particular (i) extended-type checking 
and (ii) evaluating block-specific predicates over the set of 
intervals and errors. 

For example, the error margins at the decisions points that 
impact the block behavior can be analyzed to determine if 
they can potentially affect the result. In the example of FIG. 6, 
the software would check at both greater-than blocks 510 and 
512 to determine if the error of either or both of the input 
signal ranges can individually or in conjunction cause an 
otherwise true result to evaluate to false or an otherwise false 
result to evaluate to true. This analysis can determine that for 
the block greaterEql 510, the error in the signal from fioor 1 
block 504 can cause an otherwise true result to evaluate to 
false (i.e., when v=[10] and e=[l]). 

Although specific embodiments have been illustrated and 
described herein, it will be appreciated by those of ordinary 
skill in the art that any arrangement, which is calculated to 
achieve the same purpose, may be substituted for the specific 
embodiments shown. Therefore, it is manifestly intended that 
this invention be limited only by the claims and the equiva- 
lents thereof. 
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Example Embodiments 

Example 1 includes a method comprising: providing an 
input signal range corresponding to a range of expected val- 
ues for an input signal to a functional block; providing a 5 
minimum value error range corresponding to a range of error 
for a minimum value endpoint of the input signal range and a 
maximum value error range corresponding to a range of error 
for a maximum value endpoint of the input signal range; 
mapping the input signal range to one or more output signal to 
ranges as a function of a range mapping function correspond- 
ing to the functional block; calculating a set of error extended 
input signal ranges by: adding a min endpoint of the minimum 
value error range to the minimum value of the input signal 
range; adding a max endpoint of the minimum value error 15 
range to the minimum value of the input signal range; adding 
the min endpoint of the maximum value error range to the 
maximum value of the input signal; and adding the max 
endpoint of the maximum value error range to the maximum 
value of the input signal range; mapping the set of error 20 
extended input signal ranges to a set of error extended output 
signal ranges as a function of the range mapping function; and 
calculating a minimum output error range and a maximum 
output error range as a function of a difference between the set 
of error extended output signal ranges and the output signal 25 
ranges. 

Example 2 includes a system comprising: at least one pro- 
cessing device; at least one memory device coupled to the at 
least one processing device, the at least one memory device 
having instructions thereon for execution by the at least one 30 
processing device, wherein the instructions, when executed 
by the at least one processing device, cause the at least one 
processing device to: receive an input signal range corre- 
sponding to a range of expected values for an input signal to 
a functional block; receive a minimum value error range 35 
corresponding to a range of error for a minimum value end- 
point of the input signal range and a maximum value error 
range corresponding to a range of error for a maximum value 
endpoint of the input signal range; map the input signal range 
to one or more output signal ranges as a function of a range 40 
mapping function corresponding to the functional block; cal- 
culate a set of error extended input signal ranges by: adding a 
min endpoint of the minimum value error range to the mini- 
mum value of the input signal range; adding a max endpoint 
of the minimum value error range to the minimum value of the 45 
input signal range; adding the min endpoint of the maximum 
value error range to the maximum value of the input signal; 
and adding the max endpoint of the maximum value error 
range to the maximum value of the input signal range; map 
the set of error extended input signal ranges to a set of error 50 
extended output signal ranges as a function of the range 
mapping function; and calculate a minimum output error 
range and a maximum output error range as a function of a 
difference between the set of error extended output signal 
ranges and the output signal ranges. 55 

Example 3 includes a computer readable medium includ- 
ing instructions which, when executed by at least one proces- 
sor, cause the at least one processor to: receive an input signal 
range corresponding to a range of expected values for an input 
signal to a functional block; receive a minimum value error 60 
range corresponding to a range of error for a minimum value 
endpoint of the input signal range and a maximum value error 
range corresponding to a range of error for a maximum value 
endpoint of the input signal range; map the input signal range 
to one or more output signal ranges as a function of a range 65 
mapping function corresponding to the functional block; cal- 
culate a set of error extended input signal ranges by: adding a 


min endpoint of the minimum value error range to the mini- 
mnm value of the input signal range; adding a max endpoint 
of the minimum value error range to the minimum value of the 
input signal range; adding the min endpoint of the maximum 
value error range to the maximum value of the input signal; 
and adding the max endpoint of the maximum value error 
range to the maximum value of the input signal range; map 
the set of error extended input signal ranges to a set of error 
extended output signal ranges as a function of the range 
mapping function; and calculate a minimum output error 
range and a maximum output error range as a function of a 
difference between the set of error extended output signal 
ranges and the output signal ranges. 

In Example 4 the subject matter of any of Examples 1 -3 can 
optionally include wherein calculating a set of error extended 
input signal ranges includes calculating permutations of the 
min and max endpoints of the minimum value error interval 
added to the minimum value of the input signal range and the 
maximum value error range added to the maximum value of 
the input signal range. 

In Example 5, the subject matter of any of Examples 1-4 
can optionally include wherein each error extended output 
signal range has a minimum value and a maximum value; 
wherein calculating a minimum output error range includes 
calculating a difference between a smallest of the minimum 
values of the set of error extended output signal ranges and a 
minimum value of the output signal range, and calculating a 
difference between a largest of the minimum values of the set 
of error extended output signal ranges and the minimum value 
of the output signal range; and wherein calculating a maxi- 
mum output error range includes calculating a difference 
between a smallest of the maximum values of the set of error 
extended output signal ranges and a maximum value of the 
output signal range, and calculating a difference between a 
largest of the maximum values of the set of error extended 
output signal ranges and the maximum value of the output 
signal range. 

In Example 6, the subject matter of any of Examples 1-5 
can optionally include: providing an intermediate value error 
range corresponding to a range of error for an intermediate 
value of the input signal range; mapping the intermediate 
value to a corresponding one or more output intermediate 
value as a function of the range mapping function; calculating 
a set of error extended intermediate signal valued by: adding 
the min endpoint of the intermediate value error range to the 
intermediate value of the input signal range; adding the max 
endpoint of the intermediate value error range to the interme- 
diate value of the input signal range; mapping the set of error 
extended intermediate values to a set of error extended output 
intermediate values as a function of the range mapping func- 
tion; and calculating an intermediate value output error range 
as a function of a difference between the set of error extended 
output intermediate values and the error extended intermedi- 
ate values. 

In Example 7, the subject matter of any of Examples 1-6 
can optionally include wherein the input signal range consists 
of a constant value. 

In Example 8, the subject matter of any of Examples 1-7 
can optionally include wherein the input signal range 
includes two or more intervals, and wherein each interval has 
a corresponding minimum value error range and a maximum 
value error range, and calculating output signal error ranges 
corresponding to the two or more intervals. 

In Example 9, the subject matter of any of Examples 1-8 
can optionally include: performing block-centric analysis on 
the error extended input signal ranges to determine if error 
extended anomalies are possible. 
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In Example 10, the subject matter of any of Examples 1-9 
can optionally include: propagating range values and error 
values associated with the range values through a plurality of 
functional blocks corresponding to a model of a system under 
test by calculating in topological order output signal ranges 
and minimum output signal error ranges and a maximum 
output signal error ranges for the plurality of functional 
blocks receive. 

In Example 1 1, the subject matterofany ofExamples 1-10 
can optionally include wherein the model includes one or 
more feedback signals; detecting a feedback pattern; and 
replacing the feedback pattern with a functional block prior to 
propagating range values and error values. 

In Example 12, the subject matterofany ofExamples 1-11 
can optionally include wherein the functional block receives 
a plurality of input signals, and wherein the input signal range 
corresponds to at least one of the plurality of input signals. 

What is claimed is: 

1. A method comprising: 

providing an input signal range corresponding to a range of 
expected values for an input signal to a functional block; 

providing a minimum value error range corresponding to a 
range of error for a minimum value endpoint of the input 
signal range and a maximum value error range corre- 
sponding to a range of error for a maximum value end- 
point of the input signal range; 

mapping the input signal range to one or more output signal 
ranges as a function of a range mapping function corre- 
sponding to the functional block; 

calculating a set of error extended input signal ranges by: 
adding a min endpoint of the minimum value error range 
to the minimum value of the input signal range; 
adding a max endpoint of the minimum value error range 
to the minimum value of the input signal range; 
adding the min endpoint of the maximum value error 
range to the maximum value of the input signal; and 
adding the max endpoint of the maximum value error 
range to the maximum value of the input signal range; 

mapping the set of error extended input signal ranges to a 
set of error extended output signal ranges as a function of 
the range mapping function; and 

calculating a minimum output error range and a maximum 
output error range as a function of a difference between 
the set of error extended output signal ranges and the 
output signal ranges. 

2. The method of claim 1, wherein calculating a set of error 
extended input signal ranges includes calculating permuta- 
tions of the min and max endpoints of the minimum value 
error interval added to the minimum value of the input signal 
range and the min and max endpoints of the maximum value 
error range added to the maximum value of the input signal 
range. 

3. The method of claim 1, wherein each error extended 
output signal range has a minimum value and a maximum 
value; 

wherein calculating a minimum output error range 
includes calculating a difference between a smallest of 
the minimum values of the set of error extended output 
signal ranges and a minimum value of the output signal 
range, and calculating a difference between a largest of 
the minimum values of the set of error extended output 
signal ranges and the minimum value of the output sig- 
nal range; and 

wherein calculating a maximum output error range 
includes calculating a difference between a smallest of 
the maximum values of the set of error extended output 
signal ranges and a maximum value of the output signal 
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range, and calculating a difference between a largest of 
the maximum values of the set of error extended output 
signal ranges and the maximum value of the output 
signal range. 

5 4. The method of claim 1, comprising: 

providing an intermediate value error range corresponding 
to a range of error for an intermediate value of the input 
signal range; 

mapping the intermediate value to a corresponding one or 
to more output intermediate value as a function of the range 

mapping function; 

calculating a set of error extended intermediate signal val- 
ued by: 

adding the min endpoint of the intermediate value error 
15 range to the intermediate value of the input signal range; 

adding the max endpoint of the intermediate value error 
range to the intermediate value of the input signal range; 
mapping the set of error extended intermediate values to a 
set of error extended output intermediate values as a 
20 function of the range mapping function; and 

calculating an intermediate value output error range as a 
function of a difference between the set of error 
extended output intermediate values and the error 
extended intermediate values. 

25 5. The method of claim 1, wherein the input signal range 

consists of a constant value. 

6. The method of claim 1, wherein the input signal range 
includes two or more intervals, and wherein each interval has 
a corresponding minimum value error range and a maximum 

30 value error range, the method further comprising: 

calculating output signal error ranges corresponding to the 
two or more intervals. 

7. The method of claim 1, wherein the method further 
comprises: 

35 performing block-centric analysis on the error extended 
input signal ranges to determine if error extended 
anomalies are possible. 

8. The method of claim 1, comprising: 

propagating range values and error values associated with 
40 the range values through a plurality of functional blocks 
corresponding to a model of a system under test by 
calculating in topological order output signal ranges, 
minimum output signal error ranges, and maximum out- 
put signal error ranges for the plurality of functional 
45 blocks. 

9. The method of claim 8, wherein the model includes one 
or more feedback signals, the method further comprising: 

detecting a feedback pattern; and 

replacing the feedback pattern with a functional block prior 
50 to propagating range values and error values. 

10. The method of claim 1, wherein the functional block 
receives a plurality of input signals, and wherein the input 
signal range corresponds to at least one of the plurality of 
input signals. 

55 1 1 . A system comprising: 

at least one processing device; 

at least one memory device coupled to the at least one 
processing device, the at least one memory device hav- 
ing instructions thereon for execution by the at least one 
60 processing device, wherein the instructions, when 

executed by the at least one processing device, cause the 
at least one processing device to: 
receive an input signal range corresponding to a range of 
expected values for an input signal to a functional 
65 block; 

receive a minimum value error range corresponding to a 
range of error for a minimum value endpoint of the 
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input signal range and a maximum value error range 
corresponding to a range of error for a maximum 
value endpoint of the input signal range; 
map the input signal range to one or more output signal 
ranges as a function of a range mapping function 5 
corresponding to the functional block; 
calculate a set of error extended input signal ranges by: 
adding a min endpoint of the minimum value error 
range to the minimum value of the input signal 
range; 

adding a max endpoint of the minimum value error 
range to the minimum value of the input signal 
range; 

adding the min endpoint of the maximum value error 
range to the maximum value of tire input signal; and 
adding the max endpoint of the maximum value error 
range to the maximum value of the input signal 
range; 

map the set of error extended input signal ranges to a set 20 
of error extended output signal ranges as a function of 
the range mapping function; and 
calculate a minimum output error range and a maximum 
output error range as a function of a difference 
between the set of error extended output signal ranges 25 
and the output signal ranges. 

12. The system of claim 11, wherein each error extended 
output signal range has a minimum value and a maximum 
value; 

wherein calculate a minimum output error range includes 
calculate a difference between a smallest of the mini- 
mum values of the set of error extended output signal 
ranges and a minimum value of the output signal range, 
and calculate a difference between a largest of the mini- 
mum values of the set of error extended output signal 
ranges and the minimum value of the output signal 
range; and 

wherein calculate a maximum output error range includes 
calculate a difference between a smallest of the maxi- 40 
mum values of the set of error extended output signal 
ranges and a maximum value of the output signal range, 
and calculate a difference between a largest of the maxi- 
mum values of the set of error extended output signal 
ranges and the maximum value of the output signal 45 
range. 

13. The system of claim 11, wherein the instructions, when 
executed by the at least processor, cause the processor to: 

receive an intermediate value error range corresponding to 
a range of error for an intermediate value of the input 50 
signal range; 

map the intermediate value to a corresponding one or more 
output intermediate value as a function of the range 
mapping function; 

calculate a set of error extended intermediate signal valued 55 
by: 

add the min endpoint of the intermediate value error range 
to the intermediate value of the input signal range; 

add the max endpoint of the intermediate value error range 
to the intermediate value of the input signal range; 60 

map the set of error extended intermediate values to a set of 
error extended output intermediate values as a function 
of the range mapping function; and 

calculate an intermediate value output error range as a 
function of a difference between the set of error 65 
extended output intermediate values and the error 
extended intermediate values. 
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14. The system of claim 11, wherein the instructions, when 
executed by the at least one processor, cause the at least one 
processor to: 

perform block-centric analysis on the error extended input 
signal ranges to determine if error extended anomalies 
are possible. 

15. The system of claim 11, wherein the instructions, when 
executed by the at least one processor, cause the at least one 
processor to: 

propagate range values and error values associated with the 
range values through a plurality of functional blocks 
corresponding to a model of a system under test by 
calculating in topological order output signal ranges, 
minimum output signal error ranges, and maximum out- 
put signal error ranges for the plurality of functional 
blocks. 

16. The system of claim 15, wherein the model includes 
one or more feedback signals, wherein the instructions, when 
executed by the at least one processor, cause the at least one 
processor to: 

detect a feedback pattern; and 

replace the feedback pattern with a functional block prior 
to propagate range values and error values. 

17. A non-transitory computer readable medium including 
instructions wliich, when executed by at least one processor, 
cause the at least one processor to: 

receive an input signal range corresponding to a range of 
expected values for an input signal to a functional block; 

receive a minimum value error range corresponding to a 
range of error for a minimum value endpoint of the input 
signal range and a maximum value error range corre- 
sponding to a range of error for a maximum value end- 
point of the input signal range; 

map the input signal range to one or more output signal 
ranges as a function of a range mapping function corre- 
sponding to the functional block; 

calculate a set of error extended input signal ranges by: 
adding a min endpoint of the minimum value error range 
to the minimum value of the input signal range; 
adding a max endpoint of the minimum value error range 
to the minimum value of the input signal range; 
adding the min endpoint of the maximum value error 
range to the maximum value of the input signal; and 
adding the max endpoint of the maximum value error 
range to the maximum value of the input signal range; 

map the set of error extended input signal ranges to a set of 
error extended output signal ranges as a function of the 
range mapping function; and 

calculate a minimum output error range and a maximum 
output error range as a function of a difference between 
the set of error extended output signal ranges and the 
output signal ranges. 

18. The non-transitory computer readable medium of claim 
17, wherein the instructions, when executed by the at least 
one processor, cause the at least one processor to: 

perform block-centric analysis on the error extended input 
signal ranges to determine if error extended anomalies 
are possible. 

19. The non-transitory computer readable medium of claim 
17, wherein the instructions, when executed by the at least 
one processor, cause the at least one processor to: 

propagate range values and error values associated with the 
range values through a plurality of functional blocks 
corresponding to a model of a system under test by 
calculating in topological order output signal ranges. 
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minimum output signal error ranges, and maximum out- 
put signal error ranges for the plurality of functional 
blocks. 

20 . The non- transitory computer readable medium of claim 
19, wherein the model includes one or more feedback signals, 5 
wherein the instructions, when executed by the at least one 
processor, cause the at least one processor to: 
detect a feedback pattern; and 

replace the feedback pattern with a functional block prior 
to propagate range values and error values. to 



